webhookconfig

package
v1.6.0-rc3
Warning

This package is not in the latest version of its module.

Published: Feb 4, 2022 License: Apache-2.0 Imports: 46 Imported by: 0

Documentation


Constants

This section is empty.

Variables

var DefaultWebhookTimeout int64 = 10

Functions

This section is empty.

Types

type Interface added in v1.4.0

type Interface interface {
	// Run starts the certManager
	Run(stopCh <-chan struct{})

	// InitTLSPemPair initializes the TLSPemPair
	// it should be invoked by the leader
	InitTLSPemPair()

	// GetTLSPemPair gets the existing TLSPemPair from the secret
	GetTLSPemPair() (*ktls.PemPair, error)
}

func NewCertManager added in v1.4.0

func NewCertManager(secretInformer informerv1.SecretInformer, kubeClient kubernetes.Interface, certRenewer *ktls.CertRenewer, log logr.Logger, stopCh <-chan struct{}) (Interface, error)

type Monitor added in v1.3.0

type Monitor struct {
	// contains filtered or unexported fields
}

Monitor stores the last webhook request time and monitors registered webhooks.

If no webhook request is received within idleCheckInterval, the monitor triggers a change in the Kyverno deployment to force a webhook request. If no requests are received after idleDeadline, the webhooks are deleted and re-registered.

Each instance has an in-memory flag, lastSeenRequestTime, which records the timestamp of the last admission request received by that instance. The latest timestamp (latestTimestamp) is recorded in the annotation of the Kyverno deployment; this annotation can be updated by any instance. If the time elapsed since latestTimestamp is longer than idleCheckInterval, the monitor triggers an annotation update; otherwise lastSeenRequestTime is updated to latestTimestamp.
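One reading of the idle handling described above, written as an added Go example rather than taken from Kyverno's code: a pure function that decides what a single instance does on one tick. The interval values, the `Action` names, the `decide` function and the order in which the checks run are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Action is what one monitor tick decides to do (names are hypothetical).
type Action string

const (
	NoAction         Action = "none"
	SyncLastSeen     Action = "sync-last-seen"    // adopt latestTimestamp
	UpdateAnnotation Action = "update-annotation" // forces a webhook request
	ReRegister       Action = "re-register"       // delete and re-register webhooks

	// Constructed values; the page does not state the real intervals.
	idleCheckInterval = 60 * time.Second
	idleDeadline      = 300 * time.Second
)

// decide models one tick for one instance. lastSeen is its in-memory
// lastSeenRequestTime, latest is latestTimestamp from the deployment
// annotation. It returns the action and the new lastSeen value.
func decide(now, lastSeen, latest time.Time) (Action, time.Time) {
	idle := now.Sub(lastSeen)
	switch {
	case idle <= idleCheckInterval:
		return NoAction, lastSeen // this instance saw a request recently
	case now.Sub(latest) <= idleCheckInterval:
		return SyncLastSeen, latest // another instance saw one recently
	case idle > idleDeadline:
		return ReRegister, lastSeen // nothing seen anywhere for too long
	default:
		return UpdateAnnotation, lastSeen
	}
}

func main() {
	now := time.Date(2022, 2, 4, 12, 0, 0, 0, time.UTC) // constructed clock
	for _, ago := range [][2]time.Duration{{30, 200}, {90, 20}, {90, 90}, {400, 400}} {
		a, _ := decide(now, now.Add(-ago[0]*time.Second), now.Add(-ago[1]*time.Second))
		fmt.Printf("lastSeen -%ds, latest -%ds: %s\n", ago[0], ago[1], a)
	}
}
```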

Webhook configurations are checked every tickerInterval across all instances. Currently the check only queries for the expected resource name, and does not compare other details like the webhook settings.
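What a name-only check leaves uncovered, as an added Go example that is not part of this package: `driftedFields` compares the settings of the live configuration with the expected ones. `WebhookSettings`, both check functions, the configuration name and the label values are constructed for illustration; `failurePolicy`, `timeoutSeconds` and `namespaceSelector` are fields of the Kubernetes webhook configuration API.

```go
package main

import "fmt"

// WebhookSettings is a simplified stand-in, not the Kubernetes API type.
type WebhookSettings struct {
	FailurePolicy     string            // "Fail" or "Ignore"
	TimeoutSeconds    int32             // 10 matches DefaultWebhookTimeout
	NamespaceSelector map[string]string // matchLabels only, for brevity
}

// nameOnlyCheck models the check as described: any configuration with the expected name passes.
func nameOnlyCheck(name string, live map[string]WebhookSettings) bool {
	_, ok := live[name]
	return ok
}

func sameLabels(a, b map[string]string) bool {
	for k, v := range a {
		if w, ok := b[k]; !ok || w != v {
			return false
		}
	}
	return len(a) == len(b) // nil and empty selectors compare equal
}

// driftedFields lists the live settings that differ from the expected ones.
func driftedFields(name string, want WebhookSettings, live map[string]WebhookSettings) []string {
	got, ok := live[name]
	if !ok {
		return []string{"missing"}
	}
	var drift []string
	if got.FailurePolicy != want.FailurePolicy {
		drift = append(drift, "failurePolicy")
	}
	if got.TimeoutSeconds != want.TimeoutSeconds {
		drift = append(drift, "timeoutSeconds")
	}
	if !sameLabels(got.NamespaceSelector, want.NamespaceSelector) {
		drift = append(drift, "namespaceSelector")
	}
	return drift
}

func main() {
	want := WebhookSettings{"Fail", 10, map[string]string{"policy": "enforced"}}
	live := map[string]WebhookSettings{"example-webhook-cfg": {"Ignore", 10, nil}} // constructed
	fmt.Println(nameOnlyCheck("example-webhook-cfg", live), driftedFields("example-webhook-cfg", want, live))
}
```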

func NewMonitor added in v1.3.0

func NewMonitor(kubeClient kubernetes.Interface, log logr.Logger) (*Monitor, error)

NewMonitor returns a new instance of webhook monitor

func (*Monitor) Run added in v1.3.0

func (t *Monitor) Run(register *Register, certRenewer *tls.CertRenewer, eventGen event.Interface, stopCh <-chan struct{})

Run runs the checker and verifies the resource update

func (*Monitor) SetTime added in v1.3.0

func (t *Monitor) SetTime(tm time.Time)

SetTime updates the last request time

func (*Monitor) Time added in v1.3.0

func (t *Monitor) Time() time.Time

Time returns the last request time

type Register added in v1.3.0

type Register struct {
	UpdateWebhookChan chan bool
	// contains filtered or unexported fields
}

Register manages webhook registration. There are five webhooks:

1. Policy Validation
2. Policy Mutation
3. Resource Validation
4. Resource Mutation
5. Webhook Status Mutation

func NewRegister added in v1.3.0

func NewRegister(
	clientConfig *rest.Config,
	client *client.Client,
	kyvernoClient *kyvernoclient.Clientset,
	mwcInformer adminformers.MutatingWebhookConfigurationInformer,
	vwcInformer adminformers.ValidatingWebhookConfigurationInformer,
	resCache resourcecache.ResourceCache,
	kDeplInformer informers.DeploymentInformer,
	nsInformer coreinformers.NamespaceInformer,
	pInformer kyvernoinformer.ClusterPolicyInformer,
	npInformer kyvernoinformer.PolicyInformer,
	serverIP string,
	webhookTimeout int32,
	debug bool,
	autoUpdateWebhooks bool,
	stopCh <-chan struct{},
	log logr.Logger) *Register

NewRegister creates a new Register instance

func (*Register) Check added in v1.3.0

func (wrc *Register) Check() error

Check returns an error if any of the webhooks are not configured

func (*Register) GetKubePolicyClusterRoleName added in v1.5.2

func (wrc *Register) GetKubePolicyClusterRoleName() (*unstructured.Unstructured, error)

func (*Register) GetKubePolicyDeployment added in v1.3.5

func (wrc *Register) GetKubePolicyDeployment() (*apps.Deployment, *unstructured.Unstructured, error)

GetKubePolicyDeployment gets the Kyverno deployment using the resource cache; it does not initialize any client call

func (*Register) GetWebhookTimeOut added in v1.3.0

func (wrc *Register) GetWebhookTimeOut() time.Duration

GetWebhookTimeOut returns the value of webhook timeout

func (*Register) Register added in v1.3.0

func (wrc *Register) Register() error

Register cleans up the old webhooks and re-creates the admission webhook configs on the cluster

func (*Register) Remove added in v1.3.0

func (wrc *Register) Remove(cleanUp chan<- struct{})

Remove removes all webhook configurations

func (*Register) Start added in v1.6.0

func (wrc *Register) Start()

func (*Register) UpdateWebhookConfigurations added in v1.4.0

func (wrc *Register) UpdateWebhookConfigurations(configHandler config.Interface)

UpdateWebhookConfigurations updates resource webhook configurations dynamically, based on UPDATEs of the Kyverno ConfigMap defined in the INIT_CONFIG env

It currently updates namespaceSelector only and can be extended to update other fields. +deprecated

func (*Register) ValidateWebhookConfigurations added in v1.4.0

func (wrc *Register) ValidateWebhookConfigurations(namespace, name string) error
